Dovecot handles mailbox access and authentication, so transport encryption and auth controls are mandatory. This guide focuses on security best practices for Dovecot 2.4.x.
¶ TLS and Authentication Security
¶ Mandatory TLS Enforcement
Enforce TLS for all IMAP/POP3 connections and disable plaintext authentication on unencrypted channels:
In /etc/dovecot/conf.d/10-auth.conf (Dovecot 2.4 renamed the 2.3 setting disable_plaintext_auth = yes; the 2.4 form is shown):
# Refuse cleartext mechanisms (PLAIN, LOGIN) on connections that are not TLS-protected
# 2.3 equivalent: disable_plaintext_auth = yes
auth_allow_cleartext = no
In the same file or in 10-ssl.conf (the ssl setting is global):
# Require TLS before any authentication, even for connections from localhost or login_trusted_networks.
# Clients may still open the STARTTLS port, but they cannot log in until TLS has been negotiated.
ssl = required
- Store passwords only with strong schemes: ARGON2ID (or BLF-CRYPT) preferred, SHA512-CRYPT with a high rounds count acceptable; never PLAIN, CRYPT, MD5 or unsalted digest schemes
- Authenticate against a central directory (LDAP/Active Directory/Keycloak) so lockout and password policy are enforced in one place
- IMAP/POP3 password login cannot carry a second factor; where clients support it, use OAUTH2/XOAUTH2 against an identity provider that enforces MFA
- Use certificate-based authentication for administrative tasks
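A weak scheme hides in plain sight in a passwd-file passdb, because Dovecot accepts {PLAIN}, {MD5} or an unprefixed crypt hash without complaint. The following script is an added example, not Dovecot project code and not part of the original guide: it scans a passwd-file (the user:{SCHEME}hash:uid:gid:... format Dovecot's passwd-file passdb reads) and reports every entry whose scheme is not on an allow-list. The user names, paths and hash strings in the sample file are constructed placeholders, and the allow-list is an assumption you should adjust to your policy.

```sh
#!/bin/sh
# Audit a Dovecot passwd-file passdb for weak password schemes.
# Added example, not Dovecot project code. File format (one user per line):
#   user:{SCHEME}hash:uid:gid:gecos:home:shell:extra_fields
# An entry without a {SCHEME} prefix is decoded with default_pass_scheme
# (CRYPT for passwd-file unless configured otherwise), so it is flagged too.

# Schemes considered acceptable (assumption: adjust to local policy).
STRONG_SCHEMES='ARGON2ID ARGON2I BLF-CRYPT SHA512-CRYPT'

# weak_entries FILE: print "user scheme" for every entry not using a strong scheme.
weak_entries() {
    awk -F: -v strong="$STRONG_SCHEMES" '
        BEGIN { n = split(strong, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
        {
            user = $1; pw = $2; scheme = "NO-PREFIX(default_pass_scheme)"
            if (substr(pw, 1, 1) == "{" && (e = index(pw, "}")) > 1) {
                scheme = toupper(substr(pw, 2, e - 2))
                sub(/\.(HEX|B64|BASE64)$/, "", scheme)   # strip encoding suffix, e.g. {SHA512-CRYPT.b64}
            }
            if (!(scheme in ok)) print user, scheme
        }' "$1"
}

# count_weak FILE: number of flagged entries (0 means the file passes the audit).
count_weak() {
    weak_entries "$1" | wc -l | tr -d ' '
}

# make_sample_passdb: write a constructed passdb to a temp file and print its path.
# The hash strings are placeholders, not digests of any real password.
make_sample_passdb() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# users for example.org (constructed sample)
alice:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$ZmFrZWhhc2g:5000:5000::/var/mail/example.org/alice::
bob:{SHA512-CRYPT}$6$rounds=50000$c2FsdHNhbHQ$ZmFrZWhhc2g:5000:5000::/var/mail/example.org/bob::

carol:{PLAIN}correct-horse:5000:5000::/var/mail/example.org/carol::
dave:{MD5}0123456789abcdef0123456789abcdef:5000:5000::/var/mail/example.org/dave::
erin:$1$c2FsdA$ZmFrZWhhc2g:5000:5000::/var/mail/example.org/erin::
EOF
    echo "$f"
}

# Example run (f=$(make_sample_passdb); weak_entries "$f") reports
# carol PLAIN, dave MD5 and erin NO-PREFIX(default_pass_scheme); count_weak "$f" is 3.
```

Run it against the real passdb (for example /etc/dovecot/users) from a cron job or a configuration check in CI; a non-zero count_weak is the signal to re-hash the affected accounts at their next login or to force a password reset.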
Configure authentication failure throttling and caching in /etc/dovecot/conf.d/10-auth.conf (the setting is auth_failure_delay; there is no login_failure_delay):
# Delay every failed authentication reply (to slow down brute force attacks)
auth_failure_delay = 2 secs
# Authentication cache (to reduce load on external auth backends)
auth_cache_size = 10M
auth_cache_ttl = 1 hour
auth_cache_negative_ttl = 10 mins
The cache has a security cost: a password change or account lock in the backend is not seen by Dovecot until the cached entry expires, and a newly created account keeps failing until the negative entry expires. Keep auth_cache_ttl short enough for your account-disable requirements and flush the cache (doveadm auth cache flush) as part of the disable procedure.
¶ Mailbox and Storage Security
Restrict mailbox and index directory permissions (the glob assumes the /var/mail/<user>/Maildir layout; adjust it to your mail path). Dovecot derives the mode of new files and directories from the mailbox root directory, so fixing the tree once keeps newly delivered mail private:
# Mail directories should be owned by the dedicated mail user
chown -R vmail:vmail /var/mail
# No group or world access to mailboxes, indexes or control files
chmod -R 700 /var/mail/*/Maildir
- Separate mail user accounts from shell users
- Use a dedicated system user (e.g., vmail) for mail storage
- Implement proper chroot environments
- Use different UIDs/GIDs for different mail domains if needed
- Encrypt storage volumes containing mail data
- Encrypt backup archives
- Secure temporary files and indexes
- Consider using LUKS encryption for mail partitions
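The chown/chmod pass above fixes the tree once; what a practitioner also wants is a check that catches drift (a restore from backup, a migration script, a misconfigured delivery agent). The script below is an added example, not Dovecot project code and not part of the original guide. It assumes the /var/mail/<user>/Maildir layout used above and a dedicated owner named vmail; the sample tree it builds in a temporary directory, with two deliberately loosened paths, is constructed for the example.

```sh
#!/bin/sh
# Audit (and optionally fix) permissions under a Dovecot mail root.
# Added example, not Dovecot project code. Assumes MAILROOT/<user>/Maildir,
# all owned by the dedicated mail user (vmail in this guide).

# insecure_paths ROOT: print every file or directory under ROOT that grants
# any permission to group or others (any of the 0077 bits set). Only the POSIX
# "-perm -mode" form is used, so it works with GNU and BSD find.
insecure_paths() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# foreign_owner_paths ROOT USER: print paths under ROOT not owned by USER
# (run with USER=vmail in production).
foreign_owner_paths() {
    find "$1" ! -user "$2" -print | sort
}

# count_lines: turn a path list on stdin into a plain number.
count_lines() {
    wc -l | tr -d ' '
}

# fix_permissions ROOT: directories 700, files 600. Dovecot copies the mode of
# the mailbox root directory onto new files, so a clean tree stays clean.
fix_permissions() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# make_sample_tree: constructed mail root with two deliberate mistakes
# (a world-listable Maildir and a world-readable message). Prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    for u in alice bob; do
        mkdir -p "$root/$u/Maildir/cur" "$root/$u/Maildir/new" "$root/$u/Maildir/tmp"
        : >"$root/$u/Maildir/cur/1700000000.M1P1.mx1:2,S"
    done
    fix_permissions "$root"                                       # start from a clean state
    chmod 755 "$root/bob/Maildir"                                 # mistake 1: listable by anyone
    chmod 644 "$root/bob/Maildir/cur/1700000000.M1P1.mx1:2,S"     # mistake 2: readable message
    echo "$root"
}

# Example run:
#   root=$(make_sample_tree)
#   insecure_paths "$root"                 # lists the two loosened paths
#   fix_permissions "$root"
#   insecure_paths "$root" | count_lines   # 0
```

In production, run insecure_paths and foreign_owner_paths /var/mail vmail from a scheduled job and alert on any output; call fix_permissions only after confirming the reported paths really are mailboxes, since the same tree may hold sieve scripts or per-user data that a different component owns on purpose.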
¶ Service and Network Security
Configure service restrictions in /etc/dovecot/conf.d/10-master.conf. Commenting out a port line does not disable a listener (the default port stays in effect); a listener is disabled with port = 0:
# Service limits and security
service imap-login {
  inet_listener imap {
    # Disable the STARTTLS IMAP listener (default port 143) once every client uses 993.
    # With ssl = required, leaving it open is still safe: logins are refused until STARTTLS completes.
    port = 0
  }
  inet_listener imaps {
    port = 993
    # Implicit TLS: the handshake happens before any IMAP command
    ssl = yes
  }
  # Process limits: cap the number of login processes and their memory use
  process_min_avail = 0
  process_limit = 100
  vsz_limit = 64M
}
# The dict service is reached only over its UNIX socket; restrict who can connect.
# Mail processes run as the mail user (vmail here), so the socket must be owned by it,
# otherwise they cannot use the dict proxy (for example for quota).
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
    group = vmail
  }
}
- Use firewall to restrict access to mail ports
- Implement IP-based access controls where appropriate
- Use fail2ban or similar tools for additional protection
- Consider using a reverse proxy for additional security layer
In /etc/dovecot/conf.d/10-mail.conf. Dovecot only treats # as a comment at the start of a line; a # after a value becomes part of the value, so comments go on their own lines:
# Reject any login that resolves to a system UID, including root (UID 0)
first_valid_uid = 1000
# 0 means "no upper bound"; it does not block root, first_valid_uid already does.
# If each domain gets its own UID range, set this to the highest mail UID instead.
last_valid_uid = 0
# Mail storage. Dovecot 2.4 split the 2.3 mail_location string
# (mail_location = maildir:~/Maildir:LAYOUT=fs) into separate settings:
mail_driver = maildir
mail_path = ~/Maildir
mailbox_list_layout = fs
Keep the global plugin list minimal and load only what the deployment needs. A line such as mail_plugins = $SET:mail_plugins on its own changes nothing (it re-assigns the current value); the pattern is meant for protocol-specific sections that extend the global list:
# Only load necessary plugins (2.3 syntax: mail_plugins = $mail_plugins quota acl)
mail_plugins = $SET:mail_plugins quota acl
¶ Logging and Monitoring
Configure detailed logging in /etc/dovecot/conf.d/10-logging.conf (comments on their own lines, since Dovecot does not treat a # after a value as a comment):
# Log timestamp and destination
log_timestamp = "%Y-%m-%d %H:%M:%S "
syslog_facility = mail
# Log every failed authentication with its reason (user, remote IP, mechanism)
auth_verbose = yes
# Debug logging is far more verbose and can expose user data; enable only for troubleshooting
auth_debug = no
mail_debug = no
# Never write passwords to the log (auth_debug_passwords must stay off as well)
auth_verbose_passwords = no
- Log all authentication attempts and failures
- Monitor connection rates for anomalies
- Track configuration changes
- Alert on failed login bursts (potential brute force)
- Monitor service availability and performance
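With auth_verbose = yes, every failed login leaves a line that names the account, the mechanism and the remote address (rip=), and the login process reports how many attempts a connection made before it was dropped. The script below is an added example, not Dovecot project code and not part of the original guide: it sums those attempt counts per source address and lists the addresses that cross a threshold, which is the core of the "failed login burst" alert above (fail2ban's dovecot filter works from the same lines). The log excerpt it reads is constructed for the example, with documentation-range addresses and placeholder session IDs; the threshold of 10 is an assumption.

```sh
#!/bin/sh
# Detect failed-login bursts per source IP in Dovecot logs.
# Added example, not Dovecot project code. It reads imap-login/pop3-login lines
# of the form "... (auth failed, N attempts in S secs): user=<u>, ..., rip=A.B.C.D, ..."
# and sums N per rip. Each line is one connection, so the sum is the number of
# failed password attempts from that address within the excerpt.

# failed_attempts_by_ip < LOG: print "total_attempts ip", highest first.
failed_attempts_by_ip() {
    awk '
        /auth failed, [0-9]+ attempts/ && /rip=/ {
            s = $0
            sub(/.*auth failed, /, "", s); sub(/ attempts.*/, "", s)    # the attempt count
            ip = $0
            sub(/.*rip=/, "", ip); sub(/[,[:space:]].*/, "", ip)          # the remote IP
            total[ip] += s + 0
        }
        END { for (ip in total) print total[ip], ip }' | sort -rn
}

# brute_force_candidates THRESHOLD < LOG: addresses whose total reaches THRESHOLD.
brute_force_candidates() {
    failed_attempts_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# sample_log: constructed excerpt in the login-process log format.
# One successful login is included to show that it is ignored.
sample_log() {
    cat <<'EOF'
Jan 05 10:00:01 mx1 dovecot: imap-login: Disconnected: Connection closed (auth failed, 5 attempts in 12 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s1>
Jan 05 10:00:03 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, mpid=4242, TLS, session=<s2>
Jan 05 10:00:09 mx1 dovecot: imap-login: Aborted login (auth failed, 4 attempts in 9 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s3>
Jan 05 10:00:11 mx1 dovecot: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s4>
Jan 05 10:00:15 mx1 dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 6 secs): user=<postmaster>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s5>
Jan 05 10:00:20 mx1 dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<s6>
Jan 05 10:00:25 mx1 dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<s7>
EOF
}

# Example run:
#   sample_log | failed_attempts_by_ip       # 12 203.0.113.5 / 2 203.0.113.9 / 1 198.51.100.7
#   sample_log | brute_force_candidates 10   # 203.0.113.5
```

Feed it the real log (journalctl -u dovecot, or the mail facility file) over a sliding window such as the last 10 minutes; 203.0.113.9 in the sample shows why the window matters, since two single failures across a day is a typo but twenty in a minute is a spray. Block or rate-limit the reported addresses at the firewall rather than inside Dovecot, so the login processes never see the traffic.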
Dovecot 2.4 tightened several behaviours that matter for security:
- Stricter configuration parsing: unknown, removed or misspelled settings are fatal (doveconf -n refuses the file), so a typo can no longer silently leave a protection disabled
- Cleartext authentication over non-TLS connections is refused by default (auth_allow_cleartext = no)
- Improved sandboxing for processes
- Enhanced authentication security
- Better protocol implementations with security fixes
When upgrading to 2.4.x:
- Review the whole configuration, not only plugins: core settings were renamed (disable_plaintext_auth became auth_allow_cleartext, mail_location was split into mail_driver, mail_path and related settings, and plugin lists are extended with $SET:mail_plugins), and old names may be rejected
- Test every authentication method and every passdb/userdb backend thoroughly
- Verify that security settings remain effective by reading them back from doveconf -n rather than from the files
- Check that logging and monitoring still function correctly
¶ Operational Security and Incident Response
- Regular configuration reviews
- Vulnerability scanning
- Penetration testing
- Access control audits
- Data retention policies
- Privacy controls
- Audit trail maintenance
- Secure deletion procedures
- Integrate security scanning into CI/CD pipelines
- Regular vulnerability scans of running services
- Automated compliance checking against security baselines
- Dependency scanning for third-party components
- Monitor for unauthorized configuration changes
- Implement configuration management with drift detection
- Use immutable infrastructure where possible
- Regular configuration audits
- Implement network segmentation for mail services
- Use dedicated VLANs for mail traffic
- Deploy intrusion detection/prevention systems (IDS/IPS)
- Implement geo-blocking for administrative interfaces
- Use VPN or private networks for administrative access
When running Dovecot in containers:
- Scan container images for vulnerabilities
- Use minimal base images
- Run containers as non-root users where possible
- Implement resource limits to prevent DoS
- Use read-only root filesystems
- Implement secrets management for sensitive data
- Have a documented incident response plan
- Know how to quickly disable services if needed
- Maintain offline backups of configurations
- Document recovery procedures
- Establish communication protocols during incidents
- Regular incident response drills
- Preserve evidence during security incidents
- Maintain tamper-proof logs
- Have isolated tools for forensic analysis
- Document the chain of custody for evidence
¶ Compliance and Auditing
Consider implementing security frameworks:
- NIST Cybersecurity Framework
- ISO 27001/27002 standards
- SOC 2 compliance requirements
- Industry-specific regulations (GDPR, HIPAA, etc.)
- Implement 24/7 security monitoring
- Set up automated alerting for security events
- Regular penetration testing
- Vulnerability assessments
- Security posture reviews